I found a bug about neutron port forwarding and Detailed operations are as follows:
first,create a VPC,
1)openstack address scope create my_project_id
2)openstack network create my_network
3)openstack subnet pool create <network id> --address-scope <project id> --pool-prefix "10.0.114.0/24"
4)openstack subnet create --network <network id> --subnet-pool <subnet pool id> --subnet-range 10.0.114.0/25 <subnet name>
5)openstack router create my_router
6)openstack router set jidd-router1 --external-gateway <exxternal network id> --enable-snat
7)openstack router add subnet <router id> <subnet id>
second,create a vm by the network above
And,config floating ip port forwarding.
for example, external ip and port: 10.142.254.158, 8870; internal port: 10.0.99.29,8870
It can not reach form a external ip to 10.142.254.158 using telnet.
Found that, packet is dropped in snat namespace, becase of packet is marked different labels between qg-xxx interface and sg-xxx interface.
hit rules:
0 0 DROP all -- * sg-4ddcbea1-c6 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/0xffff0000
In the future, if marking a bug report as a suspected security vulnerability, please explain why you think this may represent a risk (for example, with a hypothetical exploit scenario demonstrating how an attacker may take advantage of the flaw to gain otherwise unintended access or cause damage to the system or other tenants).